As an Assessed Third-Party – Tips and Tricks to Make the Best Use of Your Time and Efforts

by Shane Hasert

Being a Third-Party Service provider in the Financial Services or Healthcare industry becomes more difficult every day with the heightened regulatory environment we find ourselves in. In 2018, responding to customer requests for due diligence information continued to rise for assessed organizations.

One challenge is associating timeliness metrics to these requests, as the ask can vary from the seconds it takes to send a business certificate of insurance to the weeks or months it may take to complete an ‘internal and proprietary’ questionnaire and provide supporting documentation.

The paradigm shift I have seen, partly from necessity as many of the assessors are neither security nor risk professionals, is that the outsourcer isn’t always right and doesn’t always know what they are asking for or what to do with the data once they have it. This is my opportunity to share with those being assessed some short cuts to make everyone’s life a bit easier.

Related: How Do I Select Which Vendors To Risk Assess?

Consider a data sharing site – If permitted by your organization, upload the most commonly requested information to a ‘self-serve’ data room where you can control the content, access, visibility, and properties. These services (which should also be assessed as your third-party) are both cost-effective, time savers and can be appropriately secured. Documentation loaded to this platform should be sanitized but should provide enough information for an assessor or auditor to determine the next steps of the review. Documentation to consider uploading to this platform includes:

• A welcome message with a bibliography, dates of last review and a point-of-contact
• If a public company, a document with links to publicly available financials and filings, leadership biographies, organizational history, code of conduct and ethics, etc
• Summary of business insurance and/or Certificate of Insurance (CoI)
• Statement of Red Flags and/or SOX compliance
• Cybersecurity overview
• Bibliography of policies (include a table of contents when possible)
• Attestation or process for gaining access to a completed assessment report (i.e. CyberGRX, SOC, PCI, etc)
• Business resiliency executive summary
• High-level data flow diagrams

Consider annual completion and independent validation of audits or assessments that are either recognized by your specific industry or are more holistic and accepted across multiple industries (CyberGRX, ISO, NIST, etc). While these shouldn’t be available to everyone, as they may contain some sensitive information, including instructions on how to gain access to these reports is recommended.

As an assessed organization, you are going to answer the same questions over and over and over again. I always found it helpful to maintain a library of ‘canned’ statements for the most common requests, after all, cutting and pasting with minor editing is much easier than re-writing the same thing multiple times.

Speaking of recycling, every questionnaire or unique responses provided to customers should be archived and cataloged. Many outsourcing organizations tend to use the same questionnaire year over year, without providing the previous year’s responses. Often times there were slight changes, but at least you can retain a foundation or baseline of how you have answered in the past.

Whether the assessor or the assessed, when an organization chooses to outsource products or services to a third-party, they are entering into a ‘relationship’ with that vendor and like any relationship, it must be a two-way street, not a highway and a bike path. Working together to lower the burden of extra work on the third-party while meeting the regulatory requirements of the outsourcing organization is a fine balancing act that is worth the time and effort of both organizations.

SHANE HASERT
SENIOR SECURITY RISK ANALYST